(57) When a client server is permitted to be connected to a network through a first access point based on authentication by an authentication server, the authentication server informs the first access point of an encipher key such as a WEP key used for encipher communication between the client device and the first access point. Then, when the client device is moved to a communicable range of a second access point, the authentication server creates no new encipher keys but informs the second access point of the encipher key used for the encipher communication with the first access point, whereby encipher communication is executed between the client device and the second access point by using the same encipher key as that used for the encipher communication with the first access point.

Description

BACKGROUND OF THE INVENTION

Field of the Invention

[0001] The present invention relates to a communication system, in which a server device informs an access point of an encipher key used when a client terminal performs communication through the access point.

Description of the Related Art

[0002] Conventionally, in a wireless LAN system, a client terminal has been connected to a network through wireless communication with an access point on the network.

[0003] There is also a wireless LAN system, in which a client terminal receives authentication of connection to a network through an access point from an authentication server on a network.

[0004] In such a system, when the client terminal receives authentication from the authentication server, the client terminal and the authentication server create an encipher key of a wired equivalent privacy (WEP) encipher system, and the authentication server informs the access point of the created encipher key. Then, the client terminal transfers enciphered data with the access point by using the encipher key of the WEP encipher system to perform secure wireless communication.

[0005] Incidentally, a communicable range of the access point is limited to a range reached by electric waves. On the other hand, the client terminal can be freely moved. Accordingly, the client terminal may be moved from a communicable range of an access point 1 to a communicable range of an access point 2. In this case, the client terminal must receive authentication of connection to the network from the authentication server again through wireless communication with the access point 2, the client terminal and the authentication server must create a new WEP key, and the authentication server must inform the access point 2 of the new WEP key.

[0006] That is, when the client terminal changed the access point, re-authentication from the authentication server, creation of a new WEP key, informing of a WEP key, and the like prolonged the process until communication became possible. Consequently the process took time.

[0007] In addition, in a system of many client terminals, since authentication and creation of a WEP key prolonged a process, a load on an authentication server inevitably became large.

[0008] Furthermore, since the process took time when the access point was changed, usability was reduced.



SUMMARY OF THE INVENTION 

[0009] A concern of the present invention is to improve usability of a system and a device.

[0010] Another concern of the present invention is to shorten time until communication becomes possible when a client terminal changes an access point.

[0011] Yet another concern of the present invention is to reduce a process when a client terminal changes an access point.

[0012] Other features of the present invention will become apparent upon reading of detailed description and drawings.

BRIEF DESCRIPTION OF THE DRAWINGS 
[0013] 

FIG. 1 is a configuration view of a system according to an embodiment of the present invention.
FIG. 2 is a block diagram of an access point according to the embodiment of the invention.
FIG. 3 is a block diagram of a client terminal according to the embodiment of the invention.
FIG. 4 is a sequential view showing a system operation according to the embodiment of the invention.
FIG. 5 is a sequential view of the system operation according to the embodiment of the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0014] Next, description will be made of an embodiment of the present invention.

[0015] FIG. 1 is a configuration view of a system according to the embodiment of the invention.

[0016] A reference numeral 101 denotes a network, to which an access point A103, and an access point B104 are connected. The two access points are shown in FIG. 1, but the number of installed points is not limited to two. Each of the access points A103 and B104 can perform wireless communication with a client terminal 105 present in communicable ranges 106, 107. According to the embodiment, as a wireless communication system, a wireless local area network (LAN) based on a standard such as IEEE 802.11, IEEE 802.11b, or IEEE 802.11a is used.

[0017] The reference numeral 105 is the client terminal, which is connected to the network 101 through wireless communication with the access point A103 or B104. Though not shown in FIG. 1, a plurality of client terminals 105 may be present.

[0018] A reference numeral 102 denotes an authentication server, which authenticates the client terminal 105 connected to the network 101, and creates an encipher key used in a wired equivalent privacy (WEP) encipher system.

[0019] FIG. 2 is a block diagram of the access point A103.

[0020] A case of the access point B104 is similar.

[0021] A reference numeral 201 denotes a wireless unit, which transfers wireless data. The wireless unit 201 is constituted of a transmission unit 210, a reception unit 211, and an antenna 212.

[0022] A reference numeral 202 denotes a signal process unit, which detects a signal received by the reception unit 211 to convert it into a digital signal, and modulates the signal in order to transmit a digital signal sent from a data process unit 203 by wireless. In addition, the signal process unit 202 has a function of adding a header or the like in order to use data sent from the data process unit 203 for wireless transmission, and removing a header or the like from received data to send it to the data process unit 203.

[0023] The reference numeral 203 is the data process unit, which is constituted of a transmission data process unit 205 for enciphering data from a network interface 208 by a WEP encipher system, and a reception data process unit 206 for decoding enciphered data.

[0024] A reference numeral 204 denotes a control unit, which executes determination of presence of a new client terminal 105, control of the entire access point A103, and the like.

[0025] A reference numeral 207 denotes a storage unit, which stores an encipher key for WEP enciphering, and information regarding an ID or the like of the client terminal 105.

[0026] The reference numeral 208 is the network interface, which is an interface between the access point A103 and the network 101.

[0027] FIG. 3 is a block diagram of the client terminal 105.

[0028] The client terminal 105 of the embodiment is constituted of a wireless communication card.

[0029] Functions similar to those of the access point A103 shown in FIG. 2 are denoted by similar numerals.

[0030] A reference numeral 301 denotes a data communication interface, which is connected to an information processor such as a personal computer to perform data communication.

[0031] A reference numeral 302 denotes a storage unit, which stores an encipher key for WEP enciphering, and information regarding an ID or the like of the client terminal 105 necessary for wireless communication with the access point A103 or the access point B104. According to the embodiment, as an ID of the client terminal 105, a media access control (MAC) address is used.

[0032] Next, description will be made of an operation of the entire system of the embodiment with reference to the drawings.

[0033] First, a process of first connection of the client terminal 105 to the network 101 through the access point A103 is explained by referring to a sequential view of FIG. 4.

[0034] The client terminal 105 executes open authentication in the wireless LAN to be connected to the access point A103 (S401).

[0035] The access point A103 obtains an ID of the client terminal 105 (S402).

[0036] The access point A103 informs the authentication server 102 of the ID of the client terminal 105 (S403).

[0037] The authentication server 102 determines whether authentication for the connection of the client terminal 105 to the network 101 has been finished or not, based on the ID informed from the access point A103 (S404). The client terminal 105 makes the connection for the first time, and the authentication has not been finished. Thus, it is determined that the authentication has not been finished.

[0038] The authentication server 102 requests the client terminal 105 to input a user name and a password (S405).

[0039] The client terminal 105 inputs the user name and the password (S406).

[0040] In order to enhance secrecy of the user name and the password inputted in step S406, the client terminal 105 executes irreversible numerical value processing called one-way hash, and informs the authentication server 102 of its one-way hash data (S407).

[0041] The authentication server 102 collates the one-way hash data informed in step S407 with a data group regarding a user for permitting connection to the network 101, which is saved in a database in the authentication server 102. If a result of the collation shows coincident data, the connection to the network 101 is permitted to the client terminal 105, and the ID of the client terminal 105 is stored (step S408).

[0042] The client terminal 105 and the authentication server 102 create an encipher key called a WEP session key (S409). The WEP session key is an encipher key, which is used in the WEP encipher system, and valid only for enciphering traffic of the client terminal 105.

[0043] The authentication server 102 stores the created WEP session key in association with the ID of the client terminal 105, and informs it to the access point A103 (S410).

[0044] The access point A103 enciphers a broadcast key with the WEP session key (S411), and sends the enciphered broadcast key to the client terminal 105 (S412). The broadcast key is an encipher key, which is used when data broadcast from the access point A103 to a plurality of client terminals 105 is enciphered.

[0045] The client terminal 105 decodes the enciphered broadcast key by using the WEP session key created in step S409 to obtain a broadcast key (S413).

[0046] The access point A103 and the client terminal 105 start WEP encipher sequences (S414, S415).

[0047] Then, in communication with one client terminal 105 (point-to-point communication), the access point A103 transfers data enciphered with the WEP session key to perform secure wireless communication (S416). In broadcast communication with a plurality of client terminals 105 (point-to-multipoint communication), the access point A103 transfers data enciphered with the broadcast key to perform secure wireless communication (S416).

[0048] FIG. 5 shows a sequential view of an operation when the client terminal 105, for which authentication of its connection to the network 101 through the access point A103 has been finished, is moved from the communicable range 106 of the access point A103 to the communicable range 107 of the access point B104 to be connected to the network 101 through the access point B104.

[0049] The client terminal 105 is moved out of the communicable range 106 of the access point A103 to be incommunicable with the access point A103 (S501). Then, the client terminal 105 is moved into the communicable range 107 of the access point B104 to be communicable with the access point B104.

[0050] The client terminal 105 executes open authentication to be connected to the access point B104 (S502).

[0051] The access point B104 obtains an ID of the client terminal 105 (S503).

[0052] The access point B104 informs the authentication server 102 of the ID of the client terminal 105 (S504).

[0053] The authentication server 102 determines whether authentication for the connection of the client terminal 105 to the network 101 has been finished or not, based on the ID informed in step S504, and the stored ID of the client terminal 105, for which the authentication has been finished (S505). Here, for the client terminal 105, the authentication of its connection to the network 101 through the access point A103 was finished in step S408 (FIG. 4), and the ID of the client terminal has been stored. Thus, it is determined that the authentication has been finished.

[0054] The authentication server 102 instructs the access point A103 to delete the WEP session key stored in the storage unit 207 to be used for wireless communication with the client terminal 105 (S506).

[0055] The authentication server 102 informs the access point B104 of the WEP session key stored in association with the ID of the client terminal 105 in step S410 (FIG. 4) (S507).

[0056] The access point B104 enciphers a broadcast key with the WEP session key informed in step S507 (S508), and sends the enciphered broadcast key to the client terminal 105 (S509).

[0057] The client terminal 105 decodes the enciphered broadcast key by the WEP session key created in step S409 (FIG. 4) to obtain a broadcast key (S510).

[0058] The access point B104 and the client terminal 105 start WEP encipher sequences (S511, S512).

[0059] Then, in communication with one client terminal 105 (point-to-point communication), the access point B104 transfers data enciphered with the same WEP session key as that used for the communication between the client terminal 105 and the access point A103 to perform secure wireless communication (S513). In broadcast communication with a plurality of client terminals 105 (point-to-multipoint communication), the access point B104 transfers data enciphered with the broadcast key to perform secure wireless communication (S513).

[0060] In the embodiment, in step S507, the WEP session key stored in the authentication server 102 is informed to the access point B104. However, the WEP session key stored in the access point A103 may be informed through the authentication server 102 to the access point B104.
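
The key hand-over of FIG. 4 and FIG. 5, as an added example that is not part of the patent text: a Python model of the authentication server's determination in S404/S505 and of steps S410, S506 and S507. The class and function names, SHA-256 as the one-way hash, the 13-byte key length, the sample account and MAC address, and generating the key on the server alone (the page has client and server create it together in S409) are assumptions of this example.

```python
import hashlib
import secrets


def one_way_hash(user, password):
    """S407: the client sends one-way hash data, not the credentials.
    SHA-256 is an assumption; the page does not name the hash."""
    return hashlib.sha256(f"{user}\0{password}".encode()).hexdigest()


class AccessPoint:
    """Models storage unit 207: per-client WEP session keys."""

    def __init__(self, name):
        self.name = name
        self.session_keys = {}               # client ID (MAC) -> session key

    def install_key(self, client_id, key):   # target of S410 / S507
        self.session_keys[client_id] = key

    def delete_key(self, client_id):         # target of S506
        self.session_keys.pop(client_id, None)


class AuthServer:
    def __init__(self, users):
        self.permitted = {one_way_hash(u, p) for u, p in users.items()}
        self.sessions = {}                   # client ID -> (session key, current AP)

    def on_client_id(self, ap, client_id, hash_data=None):
        """Handle the ID report from an access point (S403 / S504).
        Returns (session_key, reused)."""
        session = self.sessions.get(client_id)
        if session is not None:              # S505: authentication already finished
            key, previous_ap = session
            if previous_ap is not ap:
                previous_ap.delete_key(client_id)    # S506
            ap.install_key(client_id, key)           # S507: same key, none created
            self.sessions[client_id] = (key, ap)
            return key, True
        # S404: first connection, so collate the hash data (S405-S408)
        if hash_data not in self.permitted:
            raise PermissionError("connection to the network not permitted")
        key = secrets.token_bytes(13)         # S409, modelled as server-side generation
        self.sessions[client_id] = (key, ap)  # S410: store with the ID, inform the AP
        ap.install_key(client_id, key)
        return key, False


def run_roaming_demo():
    """Constructed scenario: one client associates with A103, then moves to B104."""
    server = AuthServer({"user1": "example-password"})    # constructed account
    ap_a, ap_b = AccessPoint("A103"), AccessPoint("B104")
    mac = "02:00:00:00:01:05"                              # constructed client ID
    hash_data = one_way_hash("user1", "example-password")  # S406-S407 on the client
    key_a, reused_a = server.on_client_id(ap_a, mac, hash_data)
    key_b, reused_b = server.on_client_id(ap_b, mac)       # FIG. 5: only the ID is reported
    return {
        "same_key": key_a == key_b,
        "reused": (reused_a, reused_b),
        "a_still_holds_key": mac in ap_a.session_keys,
        "b_holds_key": ap_b.session_keys.get(mac) == key_a,
    }


if __name__ == "__main__":
    print(run_roaming_demo())
```

In the FIG. 5 path the server's determination rests on the reported client ID alone, which is the part of this design a reviewer would examine first.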

[0061] In the foregoing explanation, the client terminal 105 was the wireless communication card. However, a function similar to the wireless communication card may be incorporated in a personal computer or personal digital assistants (PDA).

[0062] Needless to say, the object of the present invention can be achieved by supplying a storage medium, in which software program codes for realizing the functions of the client terminal, the access points, and the authentication server are stored, to a system or a device, and causing the system or a computer (alternatively CPU or MPU) of the device to read and execute the program codes stored in the storage medium.

[0063] In such a case, the program codes read from the storage medium realize the functions of the embodiment themselves, and the storage medium, in which the program codes are stored, constitutes the present invention.

[0064] As the storage medium for supplying the program codes, a ROM, a floppy disk, a hard disk, an optical disk, a magneto-optical disk, a CD-ROM, a CD-R, a magnetic tape, a nonvolatile memory card or the like can be used.

[0065] Needless to say, not only the case of realizing the functions of the embodiment by executing the program codes read by the computer, but also a case where based on instructions of the program codes, a part or all of the actual process is executed by an OS or the like working on the computer to realize the functions of the embodiment are included in the present invention.

[0066] Furthermore, needless to say, a case where the program codes read from the storage medium are written in a CPU or the like provided in a function extension board inserted into the computer or a function extension unit connected to the computer and, then, based on instructions of the program codes, the CPU or the like provided in the function extension board or the function extension unit executes a part or all of the actual process to realize the functions of the embodiment is included in the present invention.

[0067] As described above, according to the present invention, it is possible to enhance usability of the device.

[0068] It is possible to shorten time until communication becomes possible when the client terminal changes an access point.

[0069] Moreover, it is possible to reduce a process when the client terminal changes an access point.



Claims

1. A communication system comprising:

creation means for creating an encipher key used for communication between a client terminal and a first access point when the client terminal is permitted to be connected to a network through the first access point; and
informing means for informing the first access point of the encipher key created by the creation means,

wherein the informing means informs a second access point of the same encipher key as that informed to the first access point when the client terminal is connected to the network through the second access point.

2. A server device comprising:

creation means for creating an encipher key used for communication between a client terminal and a first access point when the client terminal is permitted to be connected to a network through the first access point; and
informing means for informing the first access point of the encipher key created by the creation means,

wherein the informing means informs a second access point of the same encipher key as that informed to the first access point when the client terminal is connected to the network through the second access point.

3. The server device according to claim 2, further comprising: instruction means for instructing the first access point to delete the encipher key when the client terminal is connected to the network through the second access point.

4. The server device according to claim 2, wherein the encipher key which the informing means informs to the second access point is an encipher key stored when the encipher key is created by the creation means, or an encipher key received from the first access point.

5. A server device for informing an access point of an encipher key used when a client terminal performs communication through the access point, comprising:

determination means for determining transition of the client terminal from communication through a first access point to communication through a second access point; and
informing means for informing the second access point of the same encipher key as that informed to the first access point based on the determination of the determination means.

6. A server device comprising:

authentication means for authenticating connection of a client device to a network through an access point;
informing means for informing an access point, to which the client device is connected, of an encipher key in accordance with a result of the authentication by the authentication means; and
determination means for determining whether the client device which requests the authentication means to execute authentication is a client device or not, for which authentication has been finished,

wherein the informing means informs the access point, to which the client device is connected, of a new encipher key in accordance with the determination of the determination means.

7. The server device according to claim 6, wherein the informing means informs the access point, to which the client device is connected, of a new encipher key if the determination means determines that the client device which requests the authentication has been unauthenticated, and the access point, to which the client device is currently connected, of the same encipher key as that informed to an access point in previous authentication if it is determined that the client device is the client device, for which the authentication has been finished.

8. A client terminal connected to a network through an access point, comprising:

creation means for creating an encipher key used for communication with a first access point; and
communication means for executing encipher communication with the first access point by using the encipher key created by the creation means,

wherein the communication means uses the encipher key used for the encipher communication with the first access point even when an access point connected for connection to the network is changed from the first access point to a second access point.

9. The client terminal according to claim 8, further comprising: receiving means for receiving a permission notice of the connection to the network from an authentication server,

wherein the creation means creates the encipher key in accordance with the reception of the permission notice by the receiving means.

10. A control method for a communication system, comprising the steps of:

creating an encipher key used for communication between a client terminal and a first access point when the client terminal is permitted to be connected to a network through the first access point; and
informing the first access point of the encipher key created by the creation means,

wherein in the informing step, a second access point is informed of the same encipher key as that informed to the first access point when the client terminal is connected to the network through the second access point.

11. A control method for a server device, comprising the steps of:

creating an encipher key used for communication between a client terminal and a first access point when the client terminal is permitted to be connected to a network through the first access point; and
informing the first access point of the encipher key created by the creation means,

wherein in the informing step, a second access point is informed of the same encipher key as that informed to the first access point when the client terminal is connected to the network through the second access point.

12. A control method of a server device for informing an access point of an encipher key used when a client terminal performs communication through the access point, comprising the steps of:

determining transition of the client terminal from communication through a first access point to communication through a second access point; and
informing the second access point of the same encipher key as that informed to the first access point based on the determination of the determination step.

13. A control method for a server device, comprising the steps of:

authenticating connection of a client device to a network through an access point;
informing an access point, to which the client device is connected, of an encipher key in accordance with a result of the authentication in the authentication step; and
determining whether the client device which requests authentication in the authentication step is a client device or not, for which authentication has been finished;

wherein in the informing step, the access point, to which the client device is connected, is informed of a new encipher key in accordance with the determination in the determination step.

14. A control method for a client terminal connected to a network through an access point, comprising the steps of:

creating an encipher key used for communication with a first access point; and
executing encipher communication with the first access point by using the encipher key created in the creation step,

wherein in the communication step, the encipher key used for the encipher communication with the first access point is used even when an access point connected for connection to the network is changed from the first access point to a second access point.



EP 1 322 091 A1

[FIG. 1: drawing, showing reference numerals 101, 102, 103, 104 and 105]
[FIG. 4]
[FIG. 5]